Address groups for firewall policies

An address group contains multiple IP addresses, IP address ranges in CIDR format, or both. Each address group can be used by multiple resources, such as rules in Cloud NGFW firewall policies or rules in Google Cloud Armor security policies.

Updates to an address group are automatically propagated to the resources that reference the address group. For example, you can create an address group containing a set of trusted IP addresses. To change the set of trusted IP addresses, you update the address group. Your updates to the address group are reflected in each associated resource automatically.

Specifications

Address group resources have the following characteristics:

  • Each address group is uniquely identified by a URL with the following elements:
    • Container type: Determines the address group type—organization or project.
    • Container ID: ID of the organization or the project.
    • Location: Specifies if the address group is a global or regional resource (such as europe-west).
    • Name: The address group name with the following format:
      • A string 1-63 characters long
      • Includes only alphanumeric characters
      • Must not start with a number
  • You can construct a unique URL identifier for an address group in the following format:

    <containerType>/<containerId>/locations/<location>/addressGroups/<address-group-name>
    

    For example, a global address group example-address-group in project myprojecthas the following unique 4-tuple identifier:

    projects/myproject/locations/global/addressGroups/example-address-group
    
  • Each address group has an associated type that can be either IPv4 or IPv6, but not both. The address group type cannot be changed later.

  • Each IP address or IP range in an address group is referred to as an item. The number of items that you can add to an address group depends on the address group's capacity. You can define the item capacity during address group creation. This capacity cannot be changed later. The maximum capacity that you can configure for an address group varies depending on the product with which you use the address group.

  • You must specify the capacity and type when you create an address group. In addition, when you use Google Cloud Armor, you must set the purpose field to CLOUD_ARMOR.

  • When you create an address group with a purpose that is not CLOUD_ARMOR, the address group has a maximum capacity of 1,000 IP addresses.

Types of address groups

Address groups are classified based on their scope. The scope identifies the level at which the address group is applicable in the resource hierarchy. Address groups are categorized into the following types:

An address group can be either project-scoped or organization-scoped, but not both.

Project-scoped address groups

Use project-scoped address groups when you want to define your own list of IP addresses to be used within a project or a network to block or allow a list of changing IP addresses. For example, if you want to define your own threat intelligence list and add it to a rule, create an address group with the required IP addresses.

The container type for project-scoped address groups is always set to project. For more information about how to create and modify project-scoped address groups, see Use project-scoped address groups.

Organization-scoped address groups

Use organization-scoped address groups when you want to define a central list of IP addresses that can be used in high-level rules to provide consistent control for the entire organization and reduce the overhead for individual network and project owners to maintain common lists, such as trusted services and internal IP addresses.

The container type for organization-scoped address groups is always set to organization. For more information about how to create and modify organization-scoped address groups, see Use organization-scoped address groups.

IAM roles

To create and manage an address group, you need the Network Administrator role (compute.networkAdmin) or the Security Administrator role (compute.securityAdmin). You can also define a custom role with an equivalent set of permissions.

The following table provides a list of Identity and Access Management (IAM) permissions required to perform a set of tasks on address groups.

Task IAM role name IAM permissions
Create and manage address groups compute.networkAdmin

compute.securityAdmin

networksecurity.addressGroups.*
Discover and view address groups compute.networkUser networksecurity.addressGroups.list

networksecurity.addressGroups.get

networksecurity.addressGroups.use

For more information about which roles include specific IAM permissions, see the IAM permissions reference.

How address groups work with firewall policies

Address groups simplify the configuration and maintenance of firewall policies. You can share the IP addresses across firewall policies and define more complex, consistent, and robust firewall policies for your network with reduced maintenance overhead. Consider the following additional specifications when you use address groups with firewall policies:

What's next